This sounds very interesting.

I am glad that there are so many people interested in finding a good fix for
the PKI / Smartcard authentication. One thing that I would like to stay away
from is having all the "Requesters" need to have a record in the user table.
(We have around 7000 people that just need Requester access.)

Carolyn 


-----Original Message-----
From: Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 10:07
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


The redirect is handled by the 401 Errors.  If you are not in the group
hence 401 on the website.  Once redirected you must have CAC and a
reason to register.  Registration info and harvested data is used to
create the AD account.  What I am looking for is a more direct approach
within ARS itself.

Thanks,
Dave
 

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
Sent: Tuesday, October 10, 2006 10:34
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

This is interesting.. sounds a little like the AF Portal..
The problem with AF Portal is the Embedded password into the scripting..
This is a little on the "2 taco's shy of a combination plate" aspect..
But it sounds like you are not doing that..
interesting.. is this in JSP ? the redirector and then into remedy..

would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
<[EMAIL PROTECTED]> wrote:
> Hello Carolyn,
>
> What we have done at our activity is to tie the CAC PKI SmartCard to 
> the Active Directory and assign AD users to a Remedy Group.  That 
> group has permissions to the Virtual Website that hosts the Remedy 
> MidTier.  Much like your "Trust" comment below.  Additionally, we 
> redirect any user that attempts to access Remedy MidTier to a 
> registration page that collects their CAC data to create an AD 
> account.  Once their request is approved their AD account is added to 
> the Remedy group.  It is not where we want to be but we have our 
> Remedy MidTier and Production servers on separate AD Domains.
>
> Thank You for your feedback,
> Dave Davis
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
> Sent: Friday, October 06, 2006 10:07
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
> Hi!
>
> Here is what we plan on doing so far, only on the mid-tier (6.3):
>
> All of our users are authenticated, so we provide a link for 
> Requesters to a JSP page that gets the user name and logs them in with
> it.
>
> Once they are in, an Active link runs a process that calls another JSP
> page to get the Windows user name again and compares it to the $USER$.
> (This is to ensure that someone does not work-around the auto-login
> page.) Both of these JSP pages are based from KM-000000010678 "How can
> I use my NT domain name to log me directly into the Mid-Tier without 
> having to be directed to login.jsp?"
>
> There are other Active links that run to ensure that the login meets 
> other criteria as well.
>
> This will work if everyone is authenticated, but as you said, it does 
> not check the certificate.
>
> On the windows client, it is pretty much available to just Customer 
> Support and they login. If a user does access the windows client, 
> there are some Active Links that limit the use, etc.
>
> I am looking at other solutions, but I believe that the above will 
> work for now. We have not moved this to production yet. We have never 
> used the Mid-Tier before, but now that we are going to allow 
> requesters to submit their own tickets, it seems a good way to go.
>
> I hope this helps.
>
> Carolyn Wixson
>
>
>
> -----Original Message-----
> From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 7:46
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
>
> Nothing, yet.  Based on research, seems that it can't be done - you 
> can set up a "trust" (which our security people get indignant at 
> calling it that) - meaning, if you want to "trust" that just because 
> someone got on to a machine with a smart card, you could grab the user 
> name get them into the system that way.  But you can't have the AR 
> Server and the client communicate with certificates.
>
> However, on the mid-tier, we can use certificates, as we'll do all of 
> the authentication work using SiteMinder...
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR 
> NAVSURFWARCENDIV Crane, Code 0552
> Sent: Thursday, October 05, 2006 1:24 PM
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
> Rebecca
>
> Have you been able to integrate ARS authentication with the PKI 
> SmartCard yet?  If so, what tools did you use?
>
> Thanks,
> Dave Davis
> Software Systems Engineer - SAIC
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
> Sent: Wednesday, September 13, 2006 13:39
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
> Am I the only one who isn't totally confused by the white paper?  I'm 
> just not clear on how I'm supposed to write an Authenticator of my 
> own, that handles PKI or SmartCard technology.
>
> Is it just because with SSO, it pulls the information from your OS?
>
> Does anyone have any samples of what these Authenticators might look 
> like?
>
> Thanks in advance!
>
> -Rebecca Hammond
>
> On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David 
> <[EMAIL PROTECTED]>
> wrote:
>
> >Daniel,
> >
> >  You may want to take a look at the "Integrating BMC Remedy Action 
> >Request System with Single Sign-On (SSO)" white paper that was 
> >updated for AR System 7.00.00.  It also applies to other client-side 
> >login intercept technologies like smart cards or PKI.
> >
> >It is available on http://supportweb.remedy.com in the Documents 
> >section.
> >
> >David J. Easter
> >Sr. Product Manager - BMC Software
> >
> >-----Original Message-----
> >From: Action Request System discussion list(ARSList) 
> >[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
> >Sent: Thursday, August 10, 2006 10:53 PM
> >To: arslist@ARSLIST.ORG
> >Subject: Authenticate an ARS user using a certificate stored on a 
> >smart card
> >
> >Hi All,
> >
> >Can anybody suggest a way to authenticate an ARS user using a 
> >certificate stored on a smart card?
> >
> >The end user can not authenticate with a username and a password.
> >He/she can only authenticate using the certificate stored in the
> >smartcard.
> >
> >Best regards,
> >Daniel Condrea
> >
> >________________________________________________________________________
> >UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org


--
Patrick Zandi
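
Added example, not part of the original thread and not code from BMC or the KM article: a sketch of the cross-check Carolyn describes, where a second page re-reads the Windows user name and compares it with $USER$, written so that a missing or untrusted identity is rejected rather than accepted. The class and method names, the DOMAIN\account name format and the EXAMPLE domain are assumptions; in a JSP the first argument would typically come from request.getRemoteUser().

```java
import java.util.Locale;
import java.util.Set;

// Added illustration only; class, method and domain names are hypothetical.
public class LoginCrossCheck {

    // Assumption: the one Windows domain whose authenticated names are accepted.
    static final Set<String> TRUSTED_DOMAINS = Set.of("EXAMPLE");

    // Returns the lower-cased account from "DOMAIN\account", or null to reject.
    static String accountFrom(String windowsUser) {
        if (windowsUser == null || windowsUser.isBlank()) {
            return null; // web server passed no authenticated identity
        }
        String value = windowsUser.trim();
        int slash = value.indexOf('\\');
        if (slash <= 0 || slash != value.lastIndexOf('\\')) {
            return null; // bare name or malformed value: domain cannot be checked
        }
        String domain = value.substring(0, slash).toUpperCase(Locale.ROOT);
        String account = value.substring(slash + 1);
        if (account.isEmpty() || !TRUSTED_DOMAINS.contains(domain)) {
            return null;
        }
        return account.toLowerCase(Locale.ROOT);
    }

    // True only when the Windows identity and the AR System login name agree.
    // Assumption: login names are compared case-insensitively.
    static boolean sameUser(String windowsUser, String arsUser) {
        String account = accountFrom(windowsUser);
        return account != null && arsUser != null
                && account.equals(arsUser.trim().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample pairs: {Windows user name, $USER$ value}.
        String[][] samples = {
            {"EXAMPLE\\jdoe", "jdoe"},
            {"EXAMPLE\\jdoe", "asmith"},
            {"OTHER\\jdoe", "jdoe"},
            {"jdoe", "jdoe"},
            {null, "jdoe"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " / " + s[1] + " -> " + sameUser(s[0], s[1]));
        }
    }
}
```

As the thread notes, a check like this only confirms that the two user names agree; it does not validate the certificate on the smart card.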
